From 13f5ef3532cda423aa47a7757c21fdb75f447e29 Mon Sep 17 00:00:00 2001
From: Justin Santa Barbara
Date: Sun, 18 Dec 2016 16:03:55 -0500
Subject: [PATCH] Fix API ELB security group rules
---
 pkg/model/api_loadbalancer.go | 18 +++++++++++++++---
 1 file changed, 15 insertions(+), 3 deletions(-)
diff --git a/pkg/model/api_loadbalancer.go b/pkg/model/api_loadbalancer.go
index c0c91ba7baf4d..db6d8df20f979 100644
--- a/pkg/model/api_loadbalancer.go
+++ b/pkg/model/api_loadbalancer.go
@@ -98,13 +98,12 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 c.AddTask(t)
 }
 
- // Allow HTTPS to the master instances from the ELB
+ // Allow traffic into the ELB from APIAccess CIDRs
 {
 for _, cidr := range b.Cluster.Spec.APIAccess {
 t := &awstasks.SecurityGroupRule{
 Name: s("https-api-elb-" + cidr),
- SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
- SourceGroup: b.LinkToELBSecurityGroup("api"),
+ SecurityGroup: b.LinkToELBSecurityGroup("api"),
 CIDR: s(cidr),
 FromPort: i64(443),
 ToPort: i64(443),
@@ -114,6 +113,19 @@ func (b *APILoadBalancerBuilder) Build(c *fi.ModelBuilderContext) error {
 }
 }
 
+ // Allow HTTPS to the master instances from the ELB
+ {
+ t := &awstasks.SecurityGroupRule{
+ Name: s("https-elb-to-master"),
+ SecurityGroup: b.LinkToSecurityGroup(kops.InstanceGroupRoleMaster),
+ SourceGroup: b.LinkToELBSecurityGroup("api"),
+ FromPort: i64(443),
+ ToPort: i64(443),
+ Protocol: s("tcp"),
+ }
+ c.AddTask(t)
+ }
+
 for _, ig := range b.MasterInstanceGroups() {
 t := &awstasks.LoadBalancerAttachment{
 Name: s("api-" + ig.ObjectMeta.Name),
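Review bot: In the first hunk, the rewritten comment `// Allow traffic into the ELB from APIAccess CIDRs` leaves out that this loop is, as far as the visible code shows, the only source filter in front of the API. Every entry of `b.Cluster.Spec.APIAccess` becomes a port-443 ingress rule on the ELB group, so a `0.0.0.0/0` entry makes the endpoint public and an empty list creates no ingress rule at all; whether the list is validated or defaulted before it reaches `Build` is not visible here. I would extend the comment to say so, e.g. `// Allow traffic into the ELB from APIAccess CIDRs; client source filtering for the API happens here (empty list = no ingress, 0.0.0.0/0 = public).` The rule literal and the loop continue past the end of the hunk.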
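Review bot: In the second hunk, the new `https-elb-to-master` rule admits the whole group returned by `b.LinkToELBSecurityGroup("api")` as a source, so the masters apply no CIDR check of their own on 443 and rely entirely on the ELB group's ingress rules from the first hunk. That holds only while nothing other than the API ELB is a member of that group, which this hunk does not show. I would record the dependency in the comment: `// Allow HTTPS to the master instances from the ELB; APIAccess is enforced on the ELB security group, so that group must stay dedicated to the API ELB.` `Build` starts and ends outside the hunk.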